Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1
THE FUZZING PROJECT
Can we run C with fewer bugs?
Hanno Böck
https://hboeck.de/
2
WHO AM I?
Hanno Böck
Freelance journalist (Golem.de, Zeit Online, taz, LWN)
Started Fuzzing Project November 2014
Since ...
3
FUZZING?
Throw garbage at software
4
5
FUZZING BINUTILS
Hundreds of bugs
6
THE C PROBLEM
C/C++ responsible for many common bug classes (Buffer
overflows, use after free etc.)
Replacing C is good,...
7
THE PAST
Dumb fuzzing: Only finds the easy bugs
Template-based fuzzing: a lot of work for each target
8
AMERICAN FUZZY LOP
9
AMERICAN FUZZY LOP (AFL)
Smart fuzzing, quick and easy
Code instrumentation
Watches for new code paths
10
11
AFL SUCCESS STORIES
Bash Shellshock variants (CVE-2014-{6277,6278})
Stagefright vulnerabilities (CVE-2015-
{1538,3824,3...
12
FUZZING MATH
0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141
41414141 41414141 41414141 4141414...
13
0x0F FFFFFFFF FFFFFFFF^0 mod 1
= 0 or 1 ?
14
15
NETTLE ECC / NIST P256
point (0xFFFFFFFF 00000001 00000000 00000000 00000000
FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B ...
16
ADDRESS SANITIZER (ASAN)
If you only take away one thing from this talk:
Use Address Sanitizer!
-fsanitize=address in g...
17
SPOT THE BUG!
int main() {
int a[2] = {1, 0};
printf("%i", a[2]);
}
18
19
ADDRESS SANITIZER HELPS
Finds lots of hidden memory access bugs like out of bounds
read/write (Stack, Heap, Global), us...
20
21
FINDING HEARTBLEED WITH
AFL+ASAN
Small OpenSSL handshake wrapper
AFL finds Heartbleed within 6 hours
LibFuzzer needs ju...
22
ADDRESS SANITIZER
If ASAN catches all these typical C bugs...
... can we just use it in production?
23
ASAN IN PRODUCTION
Yes, but not for free
50 - 100 % CPU and memory overhead
Example: Hardened Tor Browser
24
GENTOO LINUX WITH ASAN
Everything compiled with ASAN except a few core packages
(gcc, glibc, dependencies)
25
FIXING PACKAGES
Memory access bugs in normal operation.
These need to be fixed.
bash, shred, python, syslog-ng, nasm, s...
26
PROBLEMS / CHALLENGES
ASAN executable + non-ASAN library: fine
ASAN library + non-ASAN executable: breaks
Build system ...
27
IT WORKS
Running server with real webpages.
But: More bugs need to be fixed.
28
OTHER TOOLS
29
KASAN AND SYZCKALLER
KASAN: ASAN for the Linux Kernel.
syzkaller: syscall fuzzing similar to afl
30
UNDEFINED BEHAVIOR SANITIZER
(UBSAN)
Finds code that is undefined in C
Invalid shifts, int overflows, unaligned memory ...
31
AFL AND NETWORKING
Fuzzing network connections, experimental code by Doug
Birdwell
Usually a bit more brittle than file...
32
AFL AND ANDROID
Implementation from Intel just released
Promising (Stagefright)
Android Security desperately needs it
33
WHAT HAS THIS TO DO WITH FREE
SOFTWARE?
Remember the many eyes principle?
"Free software is secure - because everyone c...
34
QUESTION TO THE AUDIENCE
Do you develop / maintain software? In C?
Do you know / use Fuzzing and Address Sanitizer?
If ...
35
THANKS FOR LISTENING
Use Address Sanitizer!
Fuzz your software.
Questions?
https://fuzzing-project.org/
Upcoming SlideShare
Loading in …5
×

The Fuzzing Project - 32C3

1,350 views

Published on

Talk about Fuzzing at the Chaos Communication Congress 2015 (32C3). The talk was part of the Free Software Foundation Europe Assembly.

Published in: Technology
  • Be the first to comment

The Fuzzing Project - 32C3

  1. 1. 1 THE FUZZING PROJECT Can we run C with fewer bugs? Hanno Böck https://hboeck.de/
  2. 2. 2 WHO AM I? Hanno Böck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Started Fuzzing Project November 2014 Since May 2015: Supported by Linux Foundation's Core Infrastructure Initiative
  3. 3. 3 FUZZING? Throw garbage at software
  4. 4. 4
  5. 5. 5 FUZZING BINUTILS Hundreds of bugs
  6. 6. 6 THE C PROBLEM C/C++ responsible for many common bug classes (Buffer overflows, use after free etc.) Replacing C is good, but we'll have to live with it for a while Mitigation: Good, but incomplete.
  7. 7. 7 THE PAST Dumb fuzzing: Only finds the easy bugs Template-based fuzzing: a lot of work for each target
  8. 8. 8 AMERICAN FUZZY LOP
  9. 9. 9 AMERICAN FUZZY LOP (AFL) Smart fuzzing, quick and easy Code instrumentation Watches for new code paths
  10. 10. 10
  11. 11. 11 AFL SUCCESS STORIES Bash Shellshock variants (CVE-2014-{6277,6278}) Stagefright vulnerabilities (CVE-2015- {1538,3824,3827,3829,3864,3876,6602}) GnuPG (CVE-2015-{1606,1607,9087}) OpenSSH out-of-bounds in handshake OpenSSL (CVE-2015-{0288,0289,1788,1789,1790,3193}) BIND remote crashes (CVE-2015-{5477,2015,5986}) NTPD remote crash (CVE-2015-7855) Libreoffice GUI interaction crashes
  12. 12. 12 FUZZING MATH 0x0505 05050505 ² mod 0x41 41414141 41414141 41412741 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41418000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005 = 0x19324B 647D967D 644B3219 ? = 0x34 34343434 34343434 34341F67 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676767 67676774 74747474 74747474 74746F41 41414141 41417373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73737373 73738000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0019324B 647D967D 644B321D ?
  13. 13. 13
  14. 14. 0x0F FFFFFFFF FFFFFFFF^0 mod 1 = 0 or 1 ?
  15. 15. 14 15 NETTLE ECC / NIST P256 point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF 001C2C00, 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A) * 1 != point (0xFFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFE FFFFFFFF 001C2C00 , 0x9731275B 8E973CEA FD8ABF5A 6E16A177 F05A3451 14FBC752 7B3A60BC 65FE606A )
  16. 16. 16 ADDRESS SANITIZER (ASAN) If you only take away one thing from this talk: Use Address Sanitizer! -fsanitize=address in gcc/clang
  17. 17. 17 SPOT THE BUG! int main() { int a[2] = {1, 0}; printf("%i", a[2]); }
  18. 18. 18
  19. 19. 19 ADDRESS SANITIZER HELPS Finds lots of hidden memory access bugs like out of bounds read/write (Stack, Heap, Global), use-after-free etc.
  20. 20. 20
  21. 21. 21 FINDING HEARTBLEED WITH AFL+ASAN Small OpenSSL handshake wrapper AFL finds Heartbleed within 6 hours LibFuzzer needs just 5 Minutes
  22. 22. 22 ADDRESS SANITIZER If ASAN catches all these typical C bugs... ... can we just use it in production?
  23. 23. 23 ASAN IN PRODUCTION Yes, but not for free 50 - 100 % CPU and memory overhead Example: Hardened Tor Browser
  24. 24. 24 GENTOO LINUX WITH ASAN Everything compiled with ASAN except a few core packages (gcc, glibc, dependencies)
  25. 25. 25 FIXING PACKAGES Memory access bugs in normal operation. These need to be fixed. bash, shred, python, syslog-ng, nasm, screen, monit, nano, dovecot, courier, proftpd, claws-mail, hexchat, ...
  26. 26. 26 PROBLEMS / CHALLENGES ASAN executable + non-ASAN library: fine ASAN library + non-ASAN executable: breaks Build system issues (mostly libtool) Custom memory management (boehm-gc, jemalloc, tcmalloc)
  27. 27. 27 IT WORKS Running server with real webpages. But: More bugs need to be fixed.
  28. 28. 28 OTHER TOOLS
  29. 29. 29 KASAN AND SYZCKALLER KASAN: ASAN for the Linux Kernel. syzkaller: syscall fuzzing similar to afl
  30. 30. 30 UNDEFINED BEHAVIOR SANITIZER (UBSAN) Finds code that is undefined in C Invalid shifts, int overflows, unaligned memory access, ... Problem: Just too many bugs, problems rare There's also TSAN (Thread sanitizer, race conditions) and MSAN (Memory Sanitizer, uninitialized memory)
  31. 31. 31 AFL AND NETWORKING Fuzzing network connections, experimental code by Doug Birdwell Usually a bit more brittle than file fuzzing Not widely used yet
  32. 32. 32 AFL AND ANDROID Implementation from Intel just released Promising (Stagefright) Android Security desperately needs it
  33. 33. 33 WHAT HAS THIS TO DO WITH FREE SOFTWARE? Remember the many eyes principle? "Free software is secure - because everyone can look at the source and find the bugs." We have to actually *do* that.
  34. 34. 34 QUESTION TO THE AUDIENCE Do you develop / maintain software? In C? Do you know / use Fuzzing and Address Sanitizer? If not: Why not?
  35. 35. 35 THANKS FOR LISTENING Use Address Sanitizer! Fuzz your software. Questions? https://fuzzing-project.org/

×